How do I start Amazon Web Services monitoring?

Before you begin

What you need:

  • Your Amazon Web Services account ID.

  • Rights to assign role-based access to your AWS account, or

  • Your Amazon Access key ID and Secret access key.

  • Dynatrace AWS account ID: 509560245411

Amazon may charge $0.01 per 1,000 requests for CloudWatch API access once the number of requests exceeds 1 million. From that point on, Amazon charges you for each request and includes the cost in your AWS bill.

Dynatrace makes Amazon API requests every 5 minutes. We make one API call per metric. Here’s a rough estimate of AWS monitoring costs:

AWS service                          Number of metrics   Daily cost per instance (USD)
Elastic Compute Cloud (EC2)          7                   $0.02016
Elastic Block Store (EBS)            8                   $0.02304
Elastic Load Balancer (ELB)          11                  $0.03168
Relational Database Service (RDS)    11                  $0.03168
DynamoDB                             15                  $0.06912
Lambda                               4                   $0.01152

Enable access to your Amazon account

To get the information required for comprehensive AWS cloud-computing monitoring, Dynatrace needs to identify all the virtualized infrastructure components that are in your AWS environment and collect performance metrics related to those components. We use this information to understand the context of your applications, services, and hosts. For this to happen, you need to authorize Dynatrace to access your Amazon metrics. 

You can enable Dynatrace access to your AWS metrics based on either user roles or access keys:  

Create role-based access

Go to Identity and Access Management (IAM) in your Amazon Console.

Go to Roles and create a new role for Dynatrace.

Select the Role for Cross-Account Access type and then allow IAM users from a 3rd party AWS account to access your account.

Establish trust with the Dynatrace account.
Type 509560245411 as the Account ID that can access your account.
Take note of the External ID; you’ll need it later.

Skip attaching an existing policy by going to the next step.

In the Review page click Create Role.

In Permissions expand Inline Policies, and then follow the instructions:

  • In Set Permissions select Custom Policy.

  • Create the policy. In the field for Policy Name provide a name for the policy (for example “Watch-policy”) and in Policy Document paste the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "ec2:Describe*",
        "elasticloadbalancing:Describe*",
        "rds:DescribeDBInstances",
        "rds:List*",
        "dynamodb:DescribeTable",
        "dynamodb:ListTables",
        "lambda:ListFunctions",
        "lambda:GetFunction",
        "elasticbeanstalk:DescribeEnvironments",
        "elasticbeanstalk:DescribeEnvironmentResources",
        "s3:List*",
        "s3:Get*",
        "sts:GetCallerIdentity"
      ],
      "Resource": "*"
    }
  ]
}

  • Click the Apply Policy button.

For more complete instructions, please see Amazon Identity and Access Management (IAM) documentation.
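The trust relationship created in the steps above can be reviewed from the role's trust policy document. The following check is an added example, not Dynatrace or AWS code; the function names, the sample documents and the external ID value `EXAMPLE-EXTERNAL-ID` are constructed for illustration. It confirms that only account 509560245411 may assume the role and that an `sts:ExternalId` condition is present.

```python
import json

DYNATRACE_ACCOUNT = "509560245411"  # account ID given on this page


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    # A principal is a bare account ID or an ARN such as arn:aws:iam::<id>:root
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 else principal


def check_trust_policy(doc, expected_account=DYNATRACE_ACCOUNT):
    """Return findings for a role trust policy; an empty list means no issue found."""
    findings = []
    for stmt in _as_list(json.loads(doc).get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws:
            if p == "*" or _account_of(p) != expected_account:
                findings.append(f"unexpected principal may assume the role: {p}")
        # The external ID condition ties each assume-role request to this
        # specific connection (confused-deputy protection).
        string_equals = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:externalid" not in {key.lower() for key in string_equals}:
            findings.append("no sts:ExternalId condition on sts:AssumeRole")
    return findings


def sample_trust(account, external_id=None):
    # Constructed sample documents; the external ID value is a placeholder.
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": f"arn:aws:iam::{account}:root"}}
    if external_id:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})


if __name__ == "__main__":
    for doc in (sample_trust(DYNATRACE_ACCOUNT, "EXAMPLE-EXTERNAL-ID"),
                sample_trust(DYNATRACE_ACCOUNT),
                sample_trust("111122223333", "EXAMPLE-EXTERNAL-ID")):
        print(check_trust_policy(doc) or "ok")
```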

Create key-based access

Dynatrace can use access keys to make secure REST or Query protocol requests to the AWS service API. You’ll need to generate an Access key ID and a Secret access key that Dynatrace can use to get metrics from Amazon Web Services.

Go to Identity and Access Management (IAM) in your Amazon Console.

Go to Users and click Create New Users.

Enter a name for the key you want to create (for example “keyWatch” or “key-Dynatrace-AWS-monitoring”) and keep “Generate an access key for each user” selected. Then press the Create button.

Store the key name (AKID) and secret access key value.
You can either download the user credentials or copy the credentials displayed online (click Show user credentials).

Close the user creation panel and search for the newly created user.

In Permissions expand Inline Policies, and then follow the instructions:

  • In Set Permissions select Custom Policy.

  • Create the policy.
    In the field for Policy Name provide a name for the policy (for example “Watch-policy”) and in Policy Document paste the following policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "autoscaling:Describe*",
            "cloudwatch:Describe*",
            "cloudwatch:Get*",
            "cloudwatch:List*",
            "ec2:Describe*",
            "elasticloadbalancing:Describe*",
            "rds:DescribeDBInstances",
            "rds:List*",
            "dynamodb:DescribeTable",
            "dynamodb:ListTables",
            "lambda:ListFunctions",
            "lambda:GetFunction",
            "elasticbeanstalk:DescribeEnvironments",
            "elasticbeanstalk:DescribeEnvironmentResources",
            "s3:List*",
            "s3:Get*",
            "sts:GetCallerIdentity"
          ],
          "Resource": "*"
        }
      ]
    }
    
  • Finish by clicking the Apply Policy button.

For more complete instructions, please see the Amazon Getting Started Guide.
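The same policy document is pasted in both the role-based and the key-based procedure, and several of its entries are wildcards on `"Resource": "*"`. The following added example (not Dynatrace or AWS code) expands those patterns against a short, constructed and non-exhaustive watch list of real IAM actions that return stored content or code rather than metrics or metadata; the function name and the watch list are assumptions made for illustration.

```python
import fnmatch
import json

# Policy document from this page (same actions, Resource "*").
PAGE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*", "Action": [
        "autoscaling:Describe*", "cloudwatch:Describe*", "cloudwatch:Get*",
        "cloudwatch:List*", "ec2:Describe*", "elasticloadbalancing:Describe*",
        "rds:DescribeDBInstances", "rds:List*", "dynamodb:DescribeTable",
        "dynamodb:ListTables", "lambda:ListFunctions", "lambda:GetFunction",
        "elasticbeanstalk:DescribeEnvironments",
        "elasticbeanstalk:DescribeEnvironmentResources",
        "s3:List*", "s3:Get*", "sts:GetCallerIdentity"]}]})

# Constructed, non-exhaustive watch list: IAM actions that return stored
# content or code rather than metrics or resource metadata.
CONTENT_ACTIONS = ["s3:GetObject", "s3:GetObjectVersion", "lambda:GetFunction",
                   "dynamodb:GetItem", "dynamodb:Scan"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def content_grants(policy_doc, watch_list=CONTENT_ACTIONS):
    """Map each granted action pattern to the watch-list actions it allows on all resources."""
    hits = {}
    for stmt in _as_list(json.loads(policy_doc)["Statement"]):
        resources = _as_list(stmt.get("Resource", []))
        if stmt.get("Effect") != "Allow" or "*" not in resources:
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            # IAM action matching is case-insensitive; "*" matches any run of characters.
            matched = [action for action in watch_list
                       if fnmatch.fnmatchcase(action.lower(), pattern.lower())]
            if matched:
                hits[pattern] = matched
    return hits


if __name__ == "__main__":
    for pattern, actions in content_grants(PAGE_POLICY).items():
        print(f"{pattern} allows: {', '.join(actions)}")
```

The entries it reports are the ones to weigh when reviewing what the monitoring role or user can read beyond metrics.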

Connect your Amazon account to Dynatrace

Once you determine which access approach best serves your needs (role-based or key-based access) and you’ve granted AWS access to Dynatrace, it’s time to connect Dynatrace to your AWS account.

Go to Settings > Virtualization & cloud and click Add new instance.

Select either the AWS (role based) or AWS (key based) tab to open the appropriate connection details form.

Create a connection based on role authentication

  • In the Role field, type the name of the role you created in Amazon for Dynatrace.
  • Type your Account ID (the account you want us to pull metrics from).
  • Type the External ID that you created in Amazon for Dynatrace access.
  • Lastly, create a name for this connection. If you leave this field empty the name Role will be used on Dynatrace pages to define this connection.
  • Click Connect to verify and save the connection.

Create a connection based on key authentication

  • In the Access key ID field, paste the key you created in Amazon for Dynatrace access.
  • In the Secret access key field, paste the key you created in Amazon for Dynatrace access.
  • Lastly, create a name for this connection. This is mandatory. Dynatrace needs this name to identify and display the connection.
  • Click Connect to verify and save the connection.

Once the connection is successfully verified and saved, your AWS account will be listed on the Virtualization & cloud settings page.
You should soon begin to see AWS cloud monitoring data.

AWS resource tagging

Have questions about tag-based AWS monitoring? For details see How do I tag AWS resources?